Log4j CVE-2021-44228 Detection and Mitigation

Here is a work in progress fixlet/task to run the Logpresso log4j2-scan.exe but without the actual run command:

Working to add and test the run command now. Hope to have something in the next hour or so.

1 Like

Amazing, thank you. Linux is just as high priority 🙂

1 Like

Yep, the fixlet/task for Linux should be almost identical. Just need a tar command to extract instead of unzip.exe and using /tmp instead of /Windows/Temp

Will work on Linux next.

Just need to target fixed disks on Windows and exclude NFS on Nix.

1 Like

Yeah, that is a challenge to craft the command to do the right thing for *nix, potentially scan / but exclude mounts

…and cifs
…and gpfs
(* and ‘find’ doesn’t recognize the ‘cifs’ filesystem as a type directly, at least on some platforms)

In the case of the Logpresso utility on *nix, it might just be as simple as targeting / but excluding mounts and drives so that you scan only the equivalent of the "C: Drive" on Windows.

I would love help for what the best command example for Logpresso would be to achieve this on *nix.

This has been updated for running the logpresso utility and including an action for windows:

I need to replicate the same for *nix and create an analysis to read the results.

Example results:

Logpresso CVE-2021-44228 Vulnerability Scanner 1.6.2 (2021-12-16)
[*] Found CVE-2021-44228 vulnerability in C:\Program Files\APP_EXAMPLE\bin\jdbcserver.jar, log4j 2.13.1
[*] Found CVE-2021-44228 vulnerability in C:\Program Files\APP_EXAMPLE\bin\oauthservice.jar, log4j 2.13.1
[*] Found CVE-2021-44228 vulnerability in C:\Program Files\APP_EXAMPLE\bin32\jdbcserver.jar, log4j 2.13.1
[*] Found CVE-2021-44228 vulnerability in C:\Program Files\APP_EXAMPLE\bin32\oauthservice.jar, log4j 2.13.1
Running scan (9s): scanned 7403 directories, 66708 files, last visit: C:\Program Files\APP_EXAMPLE\Local\Maps\CN\normal\5\14
Running scan (20s): scanned 15260 directories, 139207 files, last visit: C:\ProgramData\Microsoft\Windows\AppRepository\Packages\FOLDER_EXAMPLE1
Running scan (30s): scanned 29093 directories, 197700 files, last visit: C:\Windows\servicing\LCU\FOLDER_EXAMPLE2
Running scan (42s): scanned 43760 directories, 252254 files, last visit: C:\Windows\servicing\LCU\FOLDER_EXAMPLE3
Running scan (52s): scanned 59217 directories, 322124 files, last visit: C:\Windows\WinSxS\FOLDER_EXAMPLE4
Running scan (62s): scanned 78733 directories, 379013 files, last visit: C:\Windows\WinSxS\Temp\InFlight\FOLDER_EXAMPLE5

Scanned 89523 directories and 387921 files
Found 4 vulnerable files
Found 0 potentially vulnerable files
Found 0 mitigated files
Completed in 65.84 seconds

Notice how this found affected JARs that are NOT named for log4j.

2 Likes

I have made a minor edit to target all fixed disks (untested currently)

runhidden CMD /C {windows folder}\Temp\log4j2-scan.exe --drives {concatenations "," of preceding texts of firsts ":" of names of drives whose (type of it = "DRIVE_FIXED")} > "{parameter "ListFile"}"
2 Likes

This should be correct. I’m not 100% certain if it will always exclude network disks depending on how they are mounted, particularly an iSCSI drive, but that is a pretty small edge case.

Also, some external disks will show up as DRIVE_FIXED in some cases, but as long as that device is not shared and is exclusive to the client running the scan, that will only cause a longer scan, but less likely to cause problems.

1 Like

Great work so far, would love to see this replicated on Nix. Appreciated @jgstew

1 Like

I’ll get a fixlet posted without the run command for *nix soon. Probably need help figuring out the right command line parameters to exclude network drives and mounts and stuff.

You might need the following:

runhidden CMD /C {windows folder}\Temp\log4j2-scan.exe --drives {concatenations "," of unique values of (it as lowercase) of preceding texts of firsts ":" of names of drives whose (type of it = "DRIVE_FIXED")} > "{parameter "ListFile"}"
1 Like

Here is a preview of the Linux one that does not actually have the run command set up yet. I also haven’t tested the TAR command fully.

Works perfectly, nice!

//Vulnerable files

preceding texts of firsts "," of following texts of firsts "vulnerability in " of lines whose (it as lowercase does not contain " (mitigated)" as lowercase) of files ((pathname of parent folder of regapps "besclient.exe") & "\BPS-Scans\results-log4j2-scan.txt")

//Mitigated files

preceding texts of firsts "," of following texts of firsts "vulnerability in " of lines whose (it as lowercase contains " (mitigated)" as lowercase) of files ((pathname of parent folder of regapps "besclient.exe") & "\BPS-Scans\results-log4j2-scan.txt")
1 Like
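The example results earlier in the thread and the two relevance expressions in this post both take the path after "vulnerability in " up to the first comma. Here is the same parsing as a POSIX shell script, added as an example (not code from the Logpresso project or from BigFix): the results text is constructed, the placement of the "(mitigated)" marker is an assumption, and a final check compares the parsed hits against the scanner's own summary line.

```shell
#!/bin/sh
# Constructed results text in the scanner's report layout (paths are made up;
# the placement of the "(mitigated)" marker is an assumption).
SAMPLE_RESULTS='Logpresso CVE-2021-44228 Vulnerability Scanner 1.6.2 (2021-12-16)
[*] Found CVE-2021-44228 vulnerability in /opt/app/lib/jdbcserver.jar, log4j 2.13.1
[*] Found CVE-2021-44228 vulnerability in /opt/app/lib/oauthservice.jar, log4j 2.10.0 (mitigated)
[*] Found CVE-2021-44228 vulnerability in /opt/app/lib/legacy.jar, log4j 2.13.1
Running scan (9s): scanned 7403 directories, 66708 files, last visit: /opt/app

Scanned 89523 directories and 387921 files
Found 2 vulnerable files
Found 0 potentially vulnerable files
Found 1 mitigated files
Completed in 65.84 seconds'

# Paths of hits read from stdin; $1 = "vulnerable" (marker absent) or
# "mitigated" (marker present). Same rule as the relevance: the text after
# "vulnerability in " up to the first comma, so a path that itself contains
# a comma would be cut short there.
found_paths() {
    if [ "$1" = mitigated ]; then
        grep 'vulnerability in ' | grep -i ' (mitigated)'
    else
        grep 'vulnerability in ' | grep -iv ' (mitigated)'
    fi | sed 's/.*vulnerability in \([^,]*\),.*/\1/'
}

# Number from the "Found N <kind> files" summary line; $1 is the kind
# ("vulnerable", "potentially vulnerable" or "mitigated").
summary_count() {
    sed -n "s/^Found \([0-9][0-9]*\) $1 files\$/\1/p"
}

# Succeed only when the hit lines parsed agree with the summary line, which
# flags a truncated results file before its counts get reported upstream.
counts_consistent() {
    report=$(cat)
    parsed=$(printf '%s\n' "$report" | found_paths vulnerable | wc -l | tr -d ' ')
    summary=$(printf '%s\n' "$report" | summary_count vulnerable)
    [ "$parsed" -eq "${summary:-0}" ]
}

printf '%s\n' "$SAMPLE_RESULTS" | found_paths vulnerable
printf '%s\n' "$SAMPLE_RESULTS" | counts_consistent && echo "counts agree"
```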

This makes sense, nice!

I would write this part a bit differently to be more cross platform and flow more right to left.

Like this:

files "results-log4j2-scan.txt" of folders "BPS-Scans" of parent folders of parent folders of client folders of sites "actionsite"

This is actually not as compact as it could be, but this should work on all BigFix clients on all platforms since probably 8.0

1 Like

One huge thing I am missing, I don’t know how to exclude remote mounts / network shares on Linux for the Log4J scan utility. Might be able to build an exclude path list using relevance, but I am unsure exactly what it should include and I don’t currently have any shares on Linux in my lab to test with.

Should go comment this is needed on the following issue(s):

Thanks so much for your hard work. I will test soon!

Here is an analysis to collect the results of the Logpresso scan utility:

Here is the task to run the utility on Windows:

Here is the task to run the utility on Linux: (I am not certain I am sufficiently excluding network drives!!!)

Right now, these do not make changes, these are reporting only. You can modify them to do the fix by adding to the command, but proceed with caution!

And again, specifically on Linux, I don't think I am excluding all possible network drives! You should proceed with caution if you know your Linux devices have remote mounts / network drives!

Please provide feedback on your testing, especially any refinements you would recommend for excluding obvious network drives or other folders you think should be excluded on Linux or Windows.


There is the possibility of using this same utility on platforms other than x64 Linux/Windows by running it with a portable or already installed JRE and using the JAR file from the logpresso repo. I have not explored this yet, and it is much more complex.

You guys work fast while I was sleeping haha.

I have a method to exclude from Linux,
and to run through the Java JAR file on all systems, because only x64 support and only Windows and Linux is insufficient.

Anyway, try this for size. I just got up and will resume testing on other OSs, but it works on Linux:

mount -l | grep 'type cifs\|type nfs' | sed 's/.* on \([^ ]*\) .*/\1/'

My plan was to output this to file and use for exclusion, also I’ll test out multiple OS hopefully with it
Bada Bing, Bada boom
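Building on the mount command in this post, here is an added POSIX shell example (not from the Logpresso project or from BigFix) that turns mount(8) output into a list of network and cluster mount points for the exclusion file; the sample mount lines are constructed, the set of filesystem types is my assumption (it adds nfs4, smb3 and gpfs, which the grep pattern above does not all match), and which scanner option consumes the list depends on the log4j2-scan version in use.

```shell
#!/bin/sh
# Constructed sample of `mount -l` output (not captured from a real host).
SAMPLE_MOUNTS='/dev/sda1 on / type ext4 (rw,relatime) [rootfs]
proc on /proc type proc (rw,nosuid,nodev,noexec,relatime)
fileserver:/export/home on /home type nfs4 (rw,relatime,vers=4.2)
//nas01/share on /mnt/share type cifs (rw,relatime,vers=3.0)
//nas02/data on /mnt/data type smb3 (rw,relatime)
/dev/gpfs01 on /gpfs type gpfs (rw,relatime)
tmpfs on /run type tmpfs (rw,nosuid,nodev,mode=755)'

# Filesystem types treated as remote or shared; extend for your estate
# (e.g. fuse.sshfs). This list is an assumption, not a scanner setting.
NET_FSTYPES='nfs nfs4 cifs smb3 gpfs'

# Print one mount point per line for every line of mount(8) output whose
# "type <fstype>" token is in NET_FSTYPES. Relies on the "<src> on <dir> type
# <fstype> (...)" layout and on mount points without embedded spaces.
network_mount_points() {
    awk -v types="$NET_FSTYPES" '
        BEGIN { n = split(types, t, " "); for (i = 1; i <= n; i++) want[t[i]] = 1 }
        {
            for (i = 2; i < NF; i++)
                if ($i == "type" && ($(i + 1) in want)) { print $(i - 1); break }
        }'
}

# The same hits joined with commas, for a scanner option that takes a single
# list argument (assumed here, in the style of --drives on Windows).
exclude_list_from_mounts() {
    network_mount_points | paste -s -d , -
}

# Live variant for a real host: write one mount point per line to a file
# that the scanner's exclusion option can read.
write_exclude_file() {
    mount | network_mount_points > "$1"
}

printf '%s\n' "$SAMPLE_MOUNTS" | exclude_list_from_mounts
```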

Also, since it's not a secret and it's all hands in:
My plan for running the Java JAR only for ALL scans inclusive comes from downloading the OpenJDK JRE (40MB per system), extracting it (not installed) and running through it.

Adoptium Temurin 11 JREs only, to keep size down for everything except SunOS

Adoptium Temurin 8 JRE for SunOS only

Test on Win10, don't have Oracle JRE, nor do I intend to; their licensing is enough to make your head fall off

1 Like